[ISN] Security hole found in Mozilla browser

InfoSec News isn at c4i.org
Fri Jul 9 06:36:59 EDT 2004


http://news.com.com/Security+hole+found+in+Mozilla+browser/2100-1002_3-5262676.html

By Robert Lemos and John Borland 
Staff Writer, CNET News.com
July 8, 2004
               
update: Developers at the open-source Mozilla Foundation have
confirmed that the latest version of their Web browsers have a
security flaw that could allows attackers to run existing programs on
the Windows XP operating system.

The flaw, known as the "shell" exploit, was publicized Wednesday on a
security mailing list, along with a link to a fix for the problem.  
Updated versions of the affected software programs, which include the
Mozilla, Firefox and Thunderbird browsers, have been released.

Developers said the flaw affected only Windows users, not computers
running either the Macintosh or Linux operating systems. Like recent
Internet Explorer vulnerabilities, this flaw only allows the attacker
the ability to run an existing program and requires that security
problems in other applications be exploited to gain further access.

The flaw can be used to pass a file extension to the operating system.  
Windows XP will then run the helper application corresponding to that
file extension. The main threat comes from the ability of an attacker
to pass parameters to exploit vulnerabilities in a specific helper
application, which could give an outsider access to the system. A
shell problem could also cause the computer to freeze.

The news comes as Microsoft has been dealing with a string of security
flaws found in its Internet Explorer browser during the past several
weeks. Some researchers had begun recommending that people worried
about online security stop using the IE browser altogether.

Microsoft recommends that Web surfers using Internet Explorer keep
abreast of the latest security warnings, and go to the company's
Protect Your PC site.

Mozilla developers said that future versions of the Firefox Web
browser would have automatic update notifications that would make it
easier to notify users about security fixes.





More information about the ISN mailing list